An Introduction to Security Issues

The Ruckus Society

The Ruckus Society has been working with a team of security experts from our network to evaluate and develop stronger security protocols in 2008. Megan Swoboda, Managing Director at Ruckus, sat down with two of her security team members, Allen Gunn of Aspiration (who is also a member of the Ruckus Board), and Dan Spalding of Midnight Special Law Collective, to discuss why we should all take steps to improve our security – and not just for our own sakes, but also for each others’.


Why should people care about security?

As information becomes a more critical part of the work we do and the power we build, we need to be aware of the vulnerability of the information we create. When people talk about security it’s really a matter of your expectation of privacy and being able to communicate over the internet – an infrastructure that’s extensively monitored and extensively insecure. Security is a critical part of doing effective work for any group that uses computers or the internet.


In a digital world, what do we have to be aware of when communicating electronically?

First and foremost, if you’re sending information over email, make sure that you’re doing it in a way that is difficult for people to gain access to. Regular email travels in “plain text,” which means that it’s transmitted across the ‘net in a format that is readable by anyone watching the wire. So if you want security when you send those emails, you should encrypt them, so they’re scrambled in transmission and only unscrambled when received by the (intended) recipient.


What about the physical computers themselves?

At a bare minimum, any computer with any kind of sensitive or important data should have passwords at every level: it should prompt you for a password when you turn it on, when it wakes up out of sleep, and when a screensaver is interrupted. These measures won’t make it bulletproof, but they help assert an expectation of privacy. You’re making it clear that you don’t want anyone to look at your data. Laws are structured around this expectation. To a degree, the more you show you have an expectation of privacy, the more privacy you get.


That said, it is obviously possible for a skilled adversary to steal your computer and gain access to your data without regard to your passwords. That’s why it’s important to encrypt your hard disk, so that someone with physical access to your disk will not be able to unscramble the information on it. Similarly, you’ll need to encrypt your backups, and store them offsite. You also need policies for memory sticks, too.


Can you speak more about this ‘expectation of privacy’ issue?

With the 4th Amendment – our protection from unreasonable search and seizure – a lot of our protections are based on whether we had a “reasonable expectation of privacy.” This includes such things as keeping that information in a locked room, behind one or more passwords, or encrypting it.

People often give up their expectation of privacy without even knowing it. One example is Gmail. Part of Gmail’s terms of use allows Google to crawl your email to place ads targeted specifically to you; the fact that you allow Google this access is potentially giving up your expectation of privacy. (Most other major email providers have similar policies.) So it’s very important that, as you store information and use technology, you assert your expectation of privacy. That way you have a legal defense against a court order to produce information (like a subpoena).

Is it fair to say that not password protecting your computer, or using Gmail, is like leaving your front door unlocked and inviting the FBI in, rather than exercising your right to not answer the door?

Yes, that’s a perfect way of explaining it.

What kind of vulnerabilities do we have in storing our data and how do we determine what should not be stored at all?

Data retention policies are complex because they’re always based on your organization’s needs. You have to think about what information you actually need to keep – and what you can do without. Any information you store could be used against you in the future, or in ways you didn’t intend.

An example of what should almost never be stored is detailed information about who visits your website. It’s important to set your web server up so that it does not, over time, store uniquely identifying data about your site’s individual visitors, which protects your constituents’ privacy.

Another place where there’s tension around data retention concerns donation data. Fundraisers want to retain as much information as they can about supporters in order to do their job more effectively. However, that information is potentially revealing about your donors, and you may want to protect their privacy. There is no single right answer, but it’s important for organizations to figure out how to strike a balance between retaining the data they need while also protecting the privacy of the people who support them.

As the examples above about your website visitors and donors show, the data you store isn’t just about you. If you get targeted in the future, those third parties you have data on may get targeted, too, just for being associated with you.

The key thing is to make sure your organization reflects on data retention and implement a data retention policy that not only follows best practices for privacy and security, but also honors the privacy of the people whose data you store.

A lot of “security” that organizations do consists of making a few random changes to how they operate – like buying a shredder and changing their old passwords. How can we meaningfully approach digital security?

You can think about security awareness in much the same way that you would think about making your house secure: locking your doors, windows, possibly even installing bars on your windows or a second lock on your door. With the internet and computers there is a very large number of virtual eyes watching what you do remotely – and sometimes on your computer itself thro
ugh viruses and spyware. So in the same way that you would lock your house to secure your belongings, you should think about security holistically when managing information and using technology. That way you’ll be protecting not only yourself, but the data of your allies and colleagues that you are storing.

It can be overwhelming to look at a giant list of random “security” practices. It’s more effective to think about your organization’s needs and adversaries, figure out your main vulnerabilities, and begin by addressing them. Having said that, encrypting data and thinking about online communication is going to be relevant for almost every group organizing for social justice.

How do you respond to people who say they have nothing to hide, and worry that by actively hiding data they imply that they’re doing something wrong?

I do not think the act of encrypting implies anything other than asserting your expectation of privacy. It’s like mailing a letter in a sealed envelope instead of writing it on the back of a postcard. If you get a lawful order to turn over encrypted information, you can choose to decrypt it, which is better than the government or corporations reading your messages whenever they feel like it.

There is also a notion of solidarity here. Part of why everyone should encrypt is so that messages encrypted for “important” reasons blend in with everyday communications that are also encrypted. Right now, the people watching the wires can see which emails are encrypted, safely assume that those communications are “important,” and then target the people sending and receiving them. The more that all of us use encryption, the stronger we’ll be as a community, even as the government and the corporations that control the infrastructure of the internet watch our activity online.

People who say they have nothing to hide should consider the possibility that they may at some point in the future want privacy, and so they should start asserting their expectation of privacy now. While some people say, “I have nothing to hide,” I don’t think anyone would say that they don’t have anything that they want to keep private.

What are the top three steps you’d recommend to improve data security?

1. Educate yourself. Find out what these security concepts mean, because you can’t really do anything effective until you become aware of them.

2. Secure your computer and your backup. Put passwords on your computer at all gateways so that anyone coming to your computer needs to authenticate before gaining access to it. And if possible, encrypt your data so that you’re confident that even if someone were to steal your computer (or otherwise gain physical access to it), it’s difficult to impossible for them to see the data stored on it. (Encrypt your backups, too.)

3. Think about internet communication. Be proactive about using encryption, and reconsider what online services (like Google scheduling and collaborative writing) you use.

Anything else?

Anyone who doesn’t think that we as movements for social justice are not being surveilled should look historically at FBI programs like COINTELPRO. Governments have spied on their citizens for decades – in some cases, centuries. Our adversaries – corporations, the U.S. government, and other international governments – all aggressively pursue data over the internet and via physical access to computers.

To the extent that we are trying to build power and be effective as movements, we need to be informed about how vulnerable we are, and take steps to make ourselves and each other more secure. Isn’t that what solidarity is all about?

To learn more about improving your data security, or to inquire about security trainings or materials, please contact The Ruckus Society at